Skip to main content

Python CVE-2026-34531

MEDIUM
Improper Authentication (CWE-287)
2026-03-31 https://github.com/miguelgrinberg/Flask-HTTPAuth GHSA-p44q-vqpr-4xmg
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
SUSE
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch released
Apr 01, 2026 - 02:30 nvd
Patch available
Analysis Generated
Apr 01, 2026 - 00:30 vuln.today
CVE Published
Mar 31, 2026 - 23:48 nvd
MEDIUM 6.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 114 pypi packages depend on flask-httpauth (95 direct, 19 indirect)

Ecosystem-wide dependent count for version 4.8.1.

DescriptionGitHub Advisory

Summary

In a situation where the client makes a request to a token protected resource without passing a token, or passing an empty token, Flask-HTTPAuth would invoke the application's token verification callback function with the token argument set to an empty string. If the application had any users in its database with an empty string set as their token, then it could potentially authenticate the client request against any of those users.

Notes

  • This issue applies only to token authentication
  • This issue applies only when the application verifies tokens by searching for them in a user database.
  • This issue applies only if the application stores empty strings as user tokens when the user does not have an assigned token. It does not apply if the application sets those tokens to NULL instead.
  • Tokens that are verified through cryptographic means (such as JWTs) are not affected by this issue.
  • Basic and Digest authentication are not affected by this issue.

Remediation

To protect against this issue, developers should make sure that no user in the user database has their token set to an empty string. If there are such users, change the value of those tokens to NULL instead.

Alternatively, developers can upgrade their projects to Flask-HTTPAuth>=4.8.1, which fixes this issue.

AnalysisAI

Flask-HTTPAuth versions prior to 4.8.1 allow authentication bypass when applications store empty string tokens in their user database, enabling unauthenticated attackers to authenticate as any user with an empty token set by submitting requests without a token or with an empty token value. This affects only token-based authentication mechanisms that verify tokens via database lookup rather than cryptographic means (e.g., JWTs). CVSS score 6.5 reflects moderate integrity impact with low computational attack complexity, and no public exploit code has been identified at the time of analysis.

Technical ContextAI

Flask-HTTPAuth is a Python library that provides authentication decorators for Flask applications. The vulnerability exists in the token authentication verification flow where the library invokes the application's token verification callback with an empty string when no token or an empty token is provided in the request. The root cause is inadequate validation of token values before database lookup (CWE-287: Improper Authentication). Applications that use Flask-HTTPAuth's token_auth decorator with a custom verification callback that searches a user database for matching tokens are vulnerable if they store empty strings as sentinel values for users without assigned tokens, rather than using NULL or other non-empty defaults. The vulnerability does not affect JWT-based token verification or basic/digest authentication mechanisms, as these employ different validation logic.

RemediationAI

Vendor-released patch: Flask-HTTPAuth>=4.8.1. Applications using prior versions should either upgrade to version 4.8.1 or immediately remediate affected deployments by scanning the user database and replacing any empty string token values with NULL or a non-empty sentinel value (e.g., a UUID or specific placeholder string). Additionally, application developers should review their token verification callback implementations to add explicit validation that rejects empty token strings before database queries. See the GitHub security advisory at https://github.com/miguelgrinberg/Flask-HTTPAuth/security/advisories/GHSA-p44q-vqpr-4xmg for additional context and the upstream repository at https://github.com/miguelgrinberg/Flask-HTTPAuth for upgrade instructions.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Package Hub 15 SP6 Fixed
openSUSE Leap 15.6 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP6 Fixed

Share

CVE-2026-34531 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy